How can business ensure security technologies are aligned with work processes so that it is easy for end-users to do the right thing and not circumvent controls?
The two most significant factors that lead to employees circumventing security controls are lack of employee "buy in" to the controls and the absence of a good fit with "business as usual".
Both of these shortcomings can be mitigated by involving both managers and staff in the implementation of security policies. Standards such as ISO 27001 recommend that an Information Security Steering Group (ISSG) be formed with representatives from throughout the business. If the ISSG drives the security policies and guides the implementation of controls, then business needs can be taken into account when policies and controls are created. Further, if staff awareness programmes include ongoing discussion of and justification for controls, then employees can understand the importance of the controls and are much more likely to comply. Involvement in both the underlying policy and the means of control will result in staff committing to the policies (and hence the controls), since they feel they had a hand in designing them.
It is human nature to rebel against anything imposed by a higher authority, especially if no clear reason is given or there appears to be no benefit to the employee. This is worsened if the controls seem to hinder business as usual. A classic example is a password complexity rule, which appears to require the user to create a complex password that they have no way to commit to memory. If the complexity rule requires any three of upper case, lower case, numeric and symbol characters, the result will be a password such as "Password1". However, if staff are told why a password needs to be difficult to guess, how criminals attack passwords, and how to create a secure passphrase (rather than a password) that is easy to remember, such as "I want a red Ferrari", then compliance nearly always follows.
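To make the mismatch concrete, here is an added illustration (not from the original article) that implements the "any three of four" complexity rule beside a length-based passphrase rule and runs both over the two passwords discussed above. The 16-character and four-word thresholds, and the tiny list of common base words, are assumptions chosen for the demonstration.

```python
import re
import string

# Constructed stand-in for a real list of commonly used base words.
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty"}


def meets_three_of_four(pw: str) -> bool:
    """The classic rule: at least 8 characters drawn from any three of
    upper case, lower case, digits and symbols."""
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= 8 and sum(classes) >= 3


def is_word_plus_digits(pw: str) -> bool:
    """Heuristic for the predictable shape the complexity rule encourages:
    a common word, optionally capitalised, followed by one or two digits
    and perhaps a trailing punctuation mark."""
    m = re.fullmatch(r"([A-Za-z]+)\d{0,2}[!?.]?", pw)
    return bool(m) and m.group(1).lower() in COMMON_BASE_WORDS


def meets_passphrase_rule(pw: str) -> bool:
    """Length-based rule (assumed thresholds): at least 16 characters or at
    least four words, and not a word-plus-digits pattern."""
    words = pw.split()
    return (len(pw) >= 16 or len(words) >= 4) and not is_word_plus_digits(pw)


def evaluate(pw: str) -> dict:
    """Report how each rule treats a candidate, so a policy owner can see
    which behaviour the control actually rewards."""
    return {
        "complexity_rule": meets_three_of_four(pw),
        "passphrase_rule": meets_passphrase_rule(pw),
        "predictable_pattern": is_word_plus_digits(pw),
    }


if __name__ == "__main__":
    for candidate in ("Password1", "I want a red Ferrari"):
        print(repr(candidate), evaluate(candidate))
```

The complexity rule accepts "Password1" and rejects the memorable passphrase, which is exactly the kind of misalignment that drives users to circumvent a control.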
Peter Wood is a member of the ISACA Conference Committee and founder of First Base Technologies
This was first published in April 2009